Buy or Renew
Buy or Renew
Duo Security forums now LIVE! Get answers to all your Duo Security questions. Learn more
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
436
Views
0
Helpful
3
Replies

L2L VPN with PIX525 and Juniper

pemasirid
Level 1
Level 1

‎01-07-2009 07:41 AM - edited ‎02-21-2020 04:07 PM

Hi,

My PIX525 firewall is configured for S2S (already 3 more S2S vpn is configured) with Juniper firewall at the other end.

The problem I'm now facing is that although the tunnel is getting up but no traffic can pass between end-to-end.

When I gave sh crypto ipsec sa I could see following

pixfirewall(config)# sh crypto ipsec sa

interface: outside

Crypto map tag: dyngroup, seq num: 30, local addr: 212.77.203.226

local ident (addr/mask/prot/port): (FIX_CLNT_TST1/255.255.255.255/0/0)

remote ident (addr/mask/prot/port): (192.168.36.2/255.255.255.255/0/0)

current_peer: 86.51.9.254

#pkts encaps: 0, #pkts encrypt: 0, #pkts digest: 0

#pkts decaps: 247, #pkts decrypt: 247, #pkts verify: 247

#pkts compressed: 0, #pkts decompressed: 0

#pkts not compressed: 0, #pkts comp failed: 0, #pkts decomp failed: 0

#send errors: 0, #recv errors: 228

Can anyone advise me why I'm not able to ping/access the other side of the lan (Juniper firewall side) also I want to make sure whether there's anything wrong in myside (my configuration).

Thanks in advance.

For ready reference I have attached the VPN configuration in my PIX firewall.

Labels:
Preview file
3 KB
0 Helpful
3 Replies 3

Ivan Martinon
Level 7
Level 7

‎01-09-2009 11:46 AM

Hi, As you can see on the show crypto output:

Crypto map tag: dyngroup,

The matched crypto map is a dynamic map, which I assume due to the name. The uploaded configuration shows that this should be using a static crypto map rather than this dynamic.

What happens here is that the SA offer that juniper sends does not match to what the PIX has configured, on your configuration you have the match address using TCP ports (which is not supported by CISCO) but the SA created is using port 0:

local ident (addr/mask/prot/port): (FIX_CLNT_TST1/255.255.255.255/0/0)

remote ident (addr/mask/prot/port): (192.168.36.2/255.255.255.255/0/0)

Which means that the offering is done with protocol IP (0) rather than TCP (6)

You need to change the match address on your Pix to match IP rather than TCP.

0 Helpful

pemasirid
Level 1
Level 1
In response to Ivan Martinon

‎01-14-2009 01:10 PM

Hi Imartino,

Many thanks for your reply and regret for delay on response.

Yes, the 'sh crypto ipsec sa' output still show Crypto map tag as dyngroup which is configured for remote access VPN.

I changed the static crypto map name outside_map with seq 10 but still its shows the Crypto map tag as dyngroup with its seq no. (30).

I have changed the ACL with IP level rather than TCP but there was no luck. However customer doesnt want to allow IP level and only want to allow access to the particular port (4444 and 4445).

I could see only local indent pkts decaps: 52, #pkts decrypt: 52, #pkts verify: 52 only. (one side) with some error packts.

Please suggest a solution to resolve this issue. The sh crypto ipsec sa output is attached.

thanks in advance.

Preview file
7 KB
0 Helpful

balint.pal
Level 1
Level 1

‎01-15-2009 03:12 AM

Hi,

is your FIX_CLNT_TST1 server in the nonat acl already?

Use the "sh xlate" for more infos.

0 Helpful
Customers Also Viewed These Support Documents